4 Replies Latest reply on Aug 9, 2008 8:16 AM by jkva

    Users bookmarking login.jsp causes problems

    kathy90031

      We're running Jboss 4.2.2/JRE 1.6_7

      We've deployed our application with a jaas realm and everything works fine with logging in when the users bookmark the home page.

      However, there are a lot of users that have bookmarked the login.jsp and when this happens JBOSS throws the BAD_REQUEST error. I stepped through the code and the user does get authenticated, it's just when JBOSS tried to look up the URL to forward to, it returns NULL and therefore throws the BAD_REQUEST error.

      Is there a feasible workaround for this issue without additional coding on our part to fix this? We are deploying on multiple webservers and ideally we would not want to write any JBOSS specific code to work around this issue. Keep in mind that this is not an issue on our other web servers; even though the user bookmarks login.jsp, they are still redirected to the home page.

      Please advise,

      Katherine Youngblood

        • 1. Re: Users bookmarking login.jsp causes problems
          ragavgomatam

          Hi
          We ran into a similar problem before & if I remember correctly, secure the <url-pattern> in your web.xml properly. The url that you put inside this tag is crucial. In our old struts based application our web.xml went like this :-

          <welcome-file-list>
            <welcome-file>jsp/welcome.jsp</welcome-file>
          </welcome-file-list>
          <error-page>
            <error-code>500</error-code>
            <location>/jsp/error.jsp</location>
          </error-page>
          <security-constraint>
            <web-resource-collection>
              <web-resource-name>SecurePages</web-resource-name>
              <description>
                Security constraint testing using custom Jaas Module
              </description>
              <!-- every request routed to the Struts action servlet -->
              <url-pattern>*.do</url-pattern>
              <http-method>POST</http-method>
              <http-method>GET</http-method>
            </web-resource-collection>
            <!-- the auth-constraint (role list) was not included in the post -->
          </security-constraint>


          So basically anything that goes to the Struts Action Servlet is protected. Plus, users are not exposed to the JSPs directly. Even if they bookmark a page, they are redirected to the welcome page.

          • 2. Re: Users bookmarking login.jsp causes problems
            kathy90031

            Yes, our URL pattern is the same, but I'm not sure you were understanding me correctly. Our pages ARE secure.

            If someone bookmarks http://localhost/WebApp/index.jsp

            then they are directed to the login page, after they log in (and are authenticated), they are directed to the home page.

            If someone bookmarks http://localhost/WebApp/login.jsp

            they log in and receive a BAD REQUEST error EVEN THOUGH they are authenticated. In fact, if they try to go to index.jsp DIRECTLY from the bad request page; they get in.

            I looked at the jboss source code and saw what was happening. Jboss looks up the request to forward to. Since the users are coming from login.jsp; this variable returns NULL. Therefore, Jboss throws the bad request error.

            Is there a workaround I can configure instead of code?

            • 3. Re: Users bookmarking login.jsp causes problems
              ragavgomatam

               

              If someone bookmarks http://localhost/WebApp/login.jsp

              they log in and receive a BAD REQUEST error EVEN THOUGH they are authenticated. In fact, if they try to go to index.jsp DIRECTLY from the bad request page; they get in.


              Just wondering... Is it possible to avoid showing the url http://localhost/WebApp/login.jsp by indirection?

              • 4. Re: Users bookmarking login.jsp causes problems

                 

                "kathy90031" wrote:
                Yes, our URL pattern is the same, but I'm not sure you were understanding me correctly. Our pages ARE secure.

                If someone bookmarks http://localhost/WebApp/index.jsp

                then they are directed to the login page, after they log in (and are authenticated), they are directed to the home page.

                If someone bookmarks http://localhost/WebApp/login.jsp

                they log in and receive a BAD REQUEST error EVEN THOUGH they are authenticated. In fact, if they try to go to index.jsp DIRECTLY from the bad request page; they get in.

                I looked at the jboss source code and saw what was happening. Jboss looks up the request to forward to. Since the users are coming from login.jsp; this variable returns NULL. Therefore, Jboss throws the bad request error.

                Is there a workaround I can configure instead of code?


                You could try creating a valve to check if the user browses directly to the login page or if he uses the normal navigation. If he does, redirect him to a secure page. The j_security_check will trigger and redirect the user to the login page.

                A valve can be compared with a Servlet filter, but it runs outside the application and has access to otherwise forbidden resources, like Tomcat classes.

                More here:
                http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html
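
A sketch of the valve approach suggested in reply 4, added here as an example and not code from any poster in this thread or from JBoss. The package and class name and the `loginPage`/`homePage` properties are hypothetical, the default paths are taken from the URLs quoted above, and it assumes the container's form login reaches the login page through an internal forward, so the valve only sees `login.jsp` when a client requests it directly.

```java
package example.valves; // hypothetical package name

import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Redirects direct (e.g. bookmarked) requests for the login page to a
 * protected page, so that form authentication starts with a saved request
 * and has somewhere to send the user after j_security_check succeeds.
 */
public class LoginBookmarkValve extends ValveBase {

    // Context-relative paths; assumed defaults based on the URLs in the thread.
    private String loginPage = "/login.jsp";
    private String homePage = "/index.jsp";

    // Setters let the values be supplied as attributes on the <Valve> element.
    public void setLoginPage(String loginPage) { this.loginPage = loginPage; }
    public void setHomePage(String homePage) { this.homePage = homePage; }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        if (isDirectLoginPageRequest(request)) {
            // The target is fixed configuration, never taken from request
            // parameters, so the valve cannot be used as an open redirect.
            String target = request.getContextPath() + homePage;
            response.sendRedirect(response.encodeRedirectURL(target));
            return; // do not pass the request further down the pipeline
        }
        getNext().invoke(request, response);
    }

    private boolean isDirectLoginPageRequest(Request request) {
        String uri = request.getRequestURI();
        // Drop path parameters such as ";jsessionid=..." before comparing.
        int semi = uri.indexOf(';');
        if (semi >= 0) {
            uri = uri.substring(0, semi);
        }
        String ctx = request.getContextPath();
        // The form posts to j_security_check, which this check never matches.
        return uri.startsWith(ctx) && uri.substring(ctx.length()).equals(loginPage);
    }
}
```

The valve is registered with a `<Valve className="..."/>` element as described in the Tomcat valve documentation linked above. The `homePage` it redirects to must itself be covered by the security constraint, otherwise no login is triggered.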